Mobile App Attacks: No Malware, No Problem

Attackers increasingly are exploiting the trust users place in brand names and companies they do business with in order to commit fraud without the need to install any malware code. Users have gotten accustomed to accepting excessive permission requests from the apps they download. Typically, they don't have a choice in the matter -- if they want the app, they have to agree to the permissions.

By Elias Manousos
08/19/14 10:03 AM PT

Traditional attack methods, like those used with the recent mobile online banking Trojan Svpeng, involve the installation of malware on the device to steal information and commit fraud.

However, new techniques are emerging that would enable an attacker to compromise a device and steal private information from the owner -- for example, the typical copycat app on a third-party app store. It looks official. It has a corporate logo on it and perhaps a link to the genuine news feed from that corporation.

Once downloaded, it prompts the user to accept a long list of permissions -- for accessing the phone's camera, recording audio, accessing the device's contact list, and a long list of other functions -- many of which offer at least potential access to confidential data.

Of course, there are legitimate reasons a given app might need those permissions to operate -- but they permit access to the same data that malware also would like to get at.

Walk Right In

Therein lies the problem. Unfortunately, anyone can download JPGs from a corporate website and wrap them around their own app in order to make it look official. Attackers increasingly are exploiting the trust users place in brand names and companies they do business with in order to commit fraud without the need to install any malware code.

For instance, applications with a billing interface easily can be used to steal financial information without employing malware, and without triggering any antivirus warning.

Meanwhile, users have gotten accustomed to accepting excessive permission requests from the apps they download, since novice software developers often find standard lists of permissions and install them in their code without trimming them.

Part of the problem is the lack of best practices related to types of permissions that are appropriate for different classes of apps. Typically, users don't have a choice in the matter -- if they want the app, they have to agree to the permissions.

This excessive permissions problem is widespread, as indicated by
recent security research on popular Android apps. (Most problem apps are in the Android environment, which is the most popular operating system for mobile devices.)

Sixty-eight percent of Android apps examined by security researchers required that the user grant permission to send SMS messages, according to Zscaler research. Of that 68 percent, 28 percent also were able to access SMS, putting them in a position to spy on mobile authentication methods.

Thirty-six percent required that the users grant the app permission to access the device's GPS data, leaving their location unsecure. Forty-six percent of the apps required permission to access the device's phone state.

Ten percent required permission to access the address book, which would put them in position to hijack. Four percent required permission to check the calendar, which would give them insight into upcoming events in the individual's life or where the person might be at a given date and time.

Playing Defense

For corporate users, exposure of data could lead to violations of various privacy requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), or even federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act.

Meanwhile, out-and-out malware like the recently discovered Svpeng Trojan continues to proliferate and grow more insidious over time. This latest variant locks up the phone completely and demands a US$200 ransom to unlock it, although unlocking without a system erase appears unlikely. It has data-stealing code that may have been included for future use.

Again, there is nothing to stop someone from downloading selected JPGs, creating an official-looking app, and embedding a Trojan in it. The liability of the hoaxed corporation is undefined, but the damage to its reputation and goodwill is easily imagined.

Fortunately, there is a way for corporations to fight the problem, and prevent dangerous apps -- or blatant malware -- from circulating in their names. As it turns out, most such apps are acquired at third-party app stores, which number close to 90.

Some of these online stores are tightly policed and minimize the presence of malware or noncompliant apps. Others are marginally policed or even open to all comers, and anything is likely to be found there.

Services are available that can scan third-party app stores for apps that make inappropriate, unauthorized, or illegal use of corporate brands, as well as look for the presence of malicious or dangerous code by decompiling and analyzing suspicious apps.

There is a pressing need for such services -- 21 percent of financial services firms, which are the most exposed to mobile malware, never scan online app stores, Osterman Research found. On the other hand, 18 percent scan daily. Another 29 percent scan less than quarterly, while 4 percent do it quarterly, 7 percent do it monthly, and 21 percent do it weekly.

Since about half of mobile device users download apps, and the number of smartphone subscriptions is expected to rise to 4.5 billion in 2018, this problem is not going away.